I have no responsibility whatsoever if this guideline causes any harm to your device. The intention of these posts are solely as personal notes for myself. Follow them at your own risk.<\/p>\n\n\n\n
Through these steps I will unlock the phone’s bootloader, erasing all data. This includes the DRM keys stored in the Trim Area (TA) partition. I’ll attempt backing them up but, as of today, there is no way of restoring them to the previous state nor knowing if the actual backup is usable at all.<\/p>\n\n\n\n
Without these DRM keys, several audio and video proprietary functionality provided by Sony won’t be available<\/a> including some camera post-processing features<\/strong>, color gamut profiles, white balance, noise reduction, X-Reality Video Enhancement, DSEE HX, ClearAudio+, and Widevine L1 support for HD Netflix.<\/p>\n\n\n\n I want to have a phone running Free Software with the possibility of using all the major apps out there. That means, unfortunately<\/a>, some kind of Android flavor. I also want a small phone and, since I’m a Spaniard living in Finland, I’d like that my phone has dual SIM capability. Until now I was using a Xiaomi Redmi 2<\/a> but, after years of usage, I cannot squeeze it any more. I’d also love to have a decent camera, if possible.<\/p>\n\n\n\n After quite some research, my conclusion is that the only real alternative that ticks (most of) the boxes is the Sony Xperia XZ2 Compact Dual<\/a>.<\/p>\n\n\n\n I’ll be doing all the stems in a Debian Buster GNU\/Linux distribution on a x86_64 platform.<\/p>\n\n\n\n If you have read the warning above, you now know that installing LineageOS implies unlocking the bootloader. In turn, this means wiping the TA partition and losing the DRM keys, which will cause several advanced audio and video features to get lost forever.<\/p>\n\n\n\n We want to keep the hope that, at least, we would be able to restore this functionality. This means that we want to backup the TA partition. Doing that without actually unlocking the bootloader is not really possible … unless you exploit a security bug.<\/p>\n\n\n\n The Sony firmwares build 52.1.A.0.618 contains one such kernel bug. Therefore, first thing, downgrading the current firmware in the device to use the one affected.<\/p>\n\n\n\n As a previous step, I downloaded the firmware that was running in my device at the time: 8324_Customized NOBA_1313-6167_52.1.A.3.49_R4C<\/p>\n\n\n\n For downloading the up to date firmware I used the XperiFirm<\/a> program:<\/p>\n\n\n\n Then, I selected the Xperia XZ2 Compact<\/strong> Apollo<\/em>: H8324<\/strong> dual<\/em> phone and downloaded the Nordic Combined<\/strong> available firmware.<\/p>\n\n\n\n Now, I downloaded and extracted the exploitable H8324-52.1.A.0.618<\/a> firmware for the Xperia XZ2 Compact Dual and followed this guide<\/a> to install it into the phone without unlocking the bootloader.<\/p>\n\n\n\n We want to use the Flashtool<\/a> to create a bundle<\/em> with the parts of the firmware we are going to use.<\/p>\n\n\n\n I downloaded the latest version<\/a> of the tool (0.9.29.0 at the time) and tried to launch it:<\/p>\n\n\n\n Bad news … it seems this version was compiled against a different C toolchain? Let’s use an older version then. 0.9.27.0<\/a> it is.<\/p>\n\n\n\n Voil\u00e1!<\/p>\n\n\n\n In the UI, we select Tools -> Bundles -> FILESET Decrypt<\/em>. In the popping up Window we browse to the folder containing the exploitable firmware: H8324_Customized FR_1313-2469_52.1.A.0.618_R2C<\/em>. There, we choose the 3 zip files that it contains and move it from the left side to the right side in the window and click Convert<\/em>.<\/p>\n\n\n\n Once it has finished, we want to skip creating the bundle by just pressing Cancel<\/em> in the next window. We have finished using flastool<\/em>.<\/p>\n\n\n\n In the exploitable firmware directory we now have a new folder called decrypted<\/em>. We want to delete some files there:<\/p>\n\n\n\n Before we proceed to flash, we need to add some rules to the udev<\/em> system in our computer so it can identify the Xperia phone:<\/p>\n\n\n\n Now, we want to use another tool to flash these files into the phone: newflasher<\/a>. I downloaded<\/a> the latest v36 version, extracted, placed the executable in the decrypted<\/em> folder from the previous step:<\/p>\n\n\n\n Last thing is setting the phone into flashmode<\/em>.<\/p>\n\n\n\n First, let’s enable developer mode in the phone: Settings -> About phone<\/em>, and hit several times the Build number<\/em> field until it states that you have become a developer. Then, go to Settings -> System -> Advanced -> Developer options<\/em> and switch on the USB debugging<\/em> option.<\/p>\n\n\n\n Now, power down the phone. Once off, press and hold Volume Down<\/kbd> and connect the USB cable that is connected to the computer in the other end. The led of the phone turns on and stays on. It is now into flashmode. Let’s flash:<\/p>\n\n\n\n Notice the questions and the answers. After a while, the phone will complete its reboot and we will be able to verify that the running firmware is the one flashed.<\/p>\n\n\n\n That all by now, next step: backing up the TA partition<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":" WARNING I have no responsibility whatsoever if this guideline causes any harm to your device. The intention of these posts are solely as personal notes for myself. Follow them at your own risk. WARNING Through these steps I will unlock … Sigue leyendo Why<\/h2>\n\n\n\n
Preconditions<\/h2>\n\n\n\n
Downgrading the stock firmware<\/h2>\n\n\n\n
root$ apt install mono-complete\nroot$ cert-sync \/etc\/ssl\/certs\/ca-certificates.crt\nroot$ certmgr -ssl -m https:\/\/software.sonymobile.com\n(Entered Y twice when asked)\n$ mono XperiFirm.exe<\/pre>\n\n\n\n
root$ DISPLAY=:0.0 .\/FlashTool\nRunning as root.\nError: dl failure on line 603\nError: failed \/home\/tanty\/personal\/sony_xperia_xz2c\/flashtool\/FlashTool\/x10flasher_native\/jre\/lib\/server\/libjvm.so, because \/lib\/x86_64-linux-gnu\/libm.so.6: version `GLIBC_2.29' not found (required by \/home\/tant\ny\/personal\/sony_xperia_xz2c\/flashtool\/FlashTool\/x10flasher_native\/jre\/lib\/server\/libjvm.so)<\/pre>\n\n\n\n
root$ DISPLAY=:0.0 .\/FlashTool\nRunning as root.\nUsed java home : \/usr\n03\/057\/2020 16:57:14 - INFO - <- This level is successfully initialized\n(Flashtool:8027): GLib-CRITICAL **: 16:57:14.971: g_base64_encode_step: assertion 'in != NULL' failed\n(Flashtool:8027): GLib-CRITICAL **: 16:57:14.971: g_base64_encode_step: assertion 'in != NULL' failed\n...<\/pre>\n\n\n\n
root$ rm decrypted\/*ta\nroot$ rm decrypted\/boot\/*ta<\/pre>\n\n\n\n
root$ echo 'SUBSYSTEM==\"usb\", ACTION==\"add\", ATTRS{idVendor}==\"0fce\", ATTRS{idProduct}==\"*\", MODE=\"0777\"' > \/etc\/udev\/rules.d\/51-sony.rules\nroot$ service udev restart<\/pre>\n\n\n\nroot$ mv newflasher.x64 decrypted\nroot$ cd decrypted\nroot$ chmod +x newflasher.x64<\/pre>\n\n\n\n
root$ .\/newflasher.x64\n\n[...]\n\nReboot mode at the end of flashing:\ntypa 'a' for reboot to android, type 'f' for reboot to fastboot, type 's' for reboot to same mode, type 'p' for poweroff, and press ENTER.\na\n\n[...]\n\nOptional step! Type 'y' and press ENTER if you want dump trim area, or type 'n' and press ENTER to skip.\nDo in mind this doesn't dump drm key since sake authentifiction is need for that! But it is recommend to have dump in case hard brick!\nn\n\n[...]\n\nRecommended step to skip this! Type 'y' and press ENTER if you want flash persist partition, or type 'n' and press ENTER to skip.\nMore info https:\/\/forum.xda-developers.com\/xperia-xz1-compact\/help\/android-attest-key-lost-bootloader-t3829945\nn\n\n[...]\n\nDevice is put now out of flash mode.\nSent command: Sync\nWaiting sync to finish\u2026\n\u2026\u2026\u2026\u2026\u2026\u2026 done\nSent command: continue.\nDone.\nClosing device.<\/pre>\n\n\n\n